
chore(deps): update rust crate gix to 0.62.0 [security] #13760

Merged (1 commit), Apr 16, 2024

Conversation

renovate[bot] (Contributor) commented Apr 15, 2024

This PR contains the following updates:

Package | Type                   | Update | Change
gix     | workspace.dependencies | minor  | 0.61.0 -> 0.62.0

GitHub Vulnerability Alerts

GHSA-98p4-xjmm-8mfh

Summary

gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

Details

This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, gix-transport checks the host and path portions of a URL for text that has a - in a position that will cause ssh to interpret part or all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.

As in Git, when an address is a URL of the form ssh://username@hostname/path, or when it takes the special form username@hostname:dirs/repo, this is treated as an SSH URL. gix-transport will replace some characters in username with their %-based URL encodings, but otherwise passes username@hostname as an argument to the external ssh command. This happens even if username begins with a hyphen. In that case, ssh treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.

This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:

  • The difficulty of forming an option argument ssh accepts, given that characters such as =, /, and \ are URL-encoded, : is removed, and the argument passed to ssh contains the @ sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.

    The inability to include a literal = prevents the use of -oNAME=VALUE (e.g., -oProxyCommand=payload). The inability to include a literal / or \ prevents smuggling in a path operand residing outside the current working directory, including on Windows. (Although a ~ character may be smuggled in, ssh does not perform its own tilde expansion, so it does not form an absolute path.)

  • The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as -A and -X together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument gix-transport intends as a URL is treated as an option argument, ssh treats the subsequent non-option argument git-upload-pack as the host instead of the command, but it is not a valid host name.

    Although ssh supports aliases for hosts, even if git-upload-pack could be made an alias, that is made difficult by the URL-encoding transformation.

However, an attacker who is able to cause a specially named ssh configuration file to be placed in the current working directory can smuggle in an -F option referencing the file, and this allows arbitrary command execution.

This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.

Other avenues of exploitation exist, but appear to be less severe. For example, the -E option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of ssh.

PoC

To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named [email protected], of the form

ProxyCommand payload

where payload is a command with an observable side effect. On Unix-like systems, this could be date | tee vulnerable or an xdg-open, open, or other command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as calc.exe.

(Although the syntax permitted in the value of ProxyCommand may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in [email protected] as well.)

Then run:

gix clone 'ssh://[email protected]/abc'

Or:

gix clone -- '[email protected]:abc/def'

(The -- is required to ensure that gix is really passing the argument as a URL for use in gix-transport, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)

In either case, the payload specified in [email protected] runs, and its side effect can be observed.

Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file [email protected], or to create or append to its target if it is a symlink:

gix clone 'ssh://[email protected]/abc'
gix clone -- '[email protected]:abc/def'

Impact

As in GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the gix-transport library.

Users who use applications that make use of gix-transport are potentially vulnerable, especially:

  • On repositories with submodules that are automatically added, depending how the application manages submodules.
  • When operating on other repositories from inside an untrusted repository.
  • When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.

Release Notes

Byron/gitoxide (gix)

v0.62.0: gix v0.62


Please note that this release contains a security fix originally implemented in gix-transport via this PR which prevents ssh options from being smuggled into the ssh command-line invocation with a username provided to a clone or fetch URL.

Details can be found in the advisory.

Bug Fixes
  • into_index_worktree_iter() now takes an iterator, instead of a Vec.
    This makes the API more consistent, and one can pass None
    as well.

  • show submodules in status independently of their active state.
    Even inactive submodules are shown in the status by git status,
    so gix should do the same.

    First observed in https://github.com/helix-editor/helix/pull/5645#issuecomment-2016798212

  • forward curl rustls feature from gix-transport to avoid curl in gix.
    This removes the curl dependency just for configuring it, and removes
    a hazard which became evident with reqwest.

Bug Fixes (BREAKING)
  • Make topo more similar to Ancestors, but also rename Ancestors to Simple
Commit Statistics
Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details

v0.61.1: gix v0.61.1


This release also updates reqwest to v0.12, bringing hyper 1.0 and a more recent rustls version.

Bug Fixes
  • missing closing backtick in gix lib documentation
Commit Statistics
  • 7 commits contributed to the release over the course of 2 calendar days.
  • 3 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized
    • Prepare changelogs prior to release (7018a92)
    • Merge branch 'patch-1' (8fde62b)
    • Turn curl into a workspace package (adee500)
    • Make reqwest a workspace package (369cf1b)
    • Merge pull request #1325 from kdelorey/fix/simple-docs-formatting (3b34699)
    • Fixed opening of backtick in documentation. (f1bc4cd)
    • Missing closing backtick in gix lib documentation (e1fec3c)

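The validation gap the advisory above describes, shown as an added example that is not gitoxide's or this PR's code: a parser for the two SSH address forms (`ssh://user@host/path` and `user@host:path`) that refuses any username, host or path component beginning with `-`, since ssh would otherwise read it as an option argument. The username check is the one gix-transport lacked before 0.62.0; `parse_ssh_target`, `SshTarget` and the sample addresses are assumptions made for this example.

```rust
// Added example (not gitoxide's code). Every component that would be handed
// to the external `ssh` binary is rejected if it starts with '-'.
// Names are assumptions for this example.

#[derive(Debug, PartialEq)]
pub struct SshTarget {
    pub user: Option<String>,
    pub host: String,
    pub path: String,
}

/// Parse an SSH address in either form the advisory describes and return
/// Err naming the offending component when ssh would treat it as an option.
pub fn parse_ssh_target(addr: &str) -> Result<SshTarget, String> {
    let (authority, path) = if let Some(rest) = addr.strip_prefix("ssh://") {
        // URL form: authority is everything up to the first '/'
        match rest.find('/') {
            Some(i) => (&rest[..i], &rest[i + 1..]),
            None => (rest, ""),
        }
    } else {
        // scp-like form: the first ':' separates host from path
        match addr.find(':') {
            Some(i) => (&addr[..i], &addr[i + 1..]),
            None => return Err("not an ssh address".to_string()),
        }
    };
    // Username is optional; the last '@' separates it from the host.
    let (user, host) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    if host.is_empty() {
        return Err("empty host".to_string());
    }
    // The username check is the part missing before gix 0.62.0; host and
    // path were already checked since gitoxide PR #1032.
    for (name, value) in [("username", user.unwrap_or("")), ("host", host), ("path", path)] {
        if value.starts_with('-') {
            return Err(format!("{} `{}` looks like a command-line option", name, value));
        }
    }
    Ok(SshTarget {
        user: user.map(str::to_owned),
        host: host.to_owned(),
        path: path.to_owned(),
    })
}
```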

@rustbot (Collaborator) commented Apr 15, 2024

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @ehuss (or someone else) some time within the next two weeks.

Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (S-waiting-on-review and S-waiting-on-author) stays updated, invoking these commands when appropriate:

  • @rustbot author: the review is finished, PR author should check the comments and take action accordingly
  • @rustbot review: the author is ready for a review, this PR will be queued again in the reviewer's queue

@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Apr 15, 2024
@epage epage force-pushed the renovate/crate-gix-vulnerability branch from 98edb1a to 1a111ab, April 16, 2024 00:39
@epage (Contributor) commented Apr 16, 2024

@bors r+

@bors (Contributor) commented Apr 16, 2024

📌 Commit 1a111ab has been approved by epage

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 16, 2024
@bors (Contributor) commented Apr 16, 2024

⌛ Testing commit 1a111ab with merge add150c...

@bors (Contributor) commented Apr 16, 2024

☀️ Test successful - checks-actions
Approved by: epage
Pushing add150c to master...

@bors bors merged commit add150c into master Apr 16, 2024
23 checks passed
@bors bors deleted the renovate/crate-gix-vulnerability branch April 16, 2024 02:34
bors added a commit to rust-lang-ci/rust that referenced this pull request Apr 17, 2024
Update cargo

11 commits in 48eca1b164695022295ce466b64b44e4e0228b08..6f06fe908a5ee0f415c187f868ea627e82efe07d
2024-04-12 21:16:36 +0000 to 2024-04-16 18:47:44 +0000
- fix(toml): Error on `[project]` in Edition 2024 (rust-lang/cargo#13747)
- feat(update): Include a Locking message (rust-lang/cargo#13759)
- chore(deps): update rust crate gix to 0.62.0 [security] (rust-lang/cargo#13760)
- test(schemas): Ensure tests cover the correct case (rust-lang/cargo#13761)
- feat(resolve): Tell the user the style of resolve done (rust-lang/cargo#13754)
- Make sure to also wrap the initial `-vV` invocation (rust-lang/cargo#13659)
- docs: update `checkout` GitHub action version (rust-lang/cargo#13757)
- Recategorize cargo test's `--doc` flag under "Target Selection" (rust-lang/cargo#13756)
- Reword sentence describing workspace toml for clarity (rust-lang/cargo#13753)
- docs(ref): Update unstable docs for msrv-policy (rust-lang/cargo#13751)
- refactor(config): Consistently use kebab-case (rust-lang/cargo#13748)

r? ghost
@rustbot rustbot added this to the 1.79.0 milestone Apr 17, 2024
github-actions bot pushed a commit to rust-lang/miri that referenced this pull request Apr 17, 2024